In 2022, the average cost of a data breach in the financial services sector was $5.97 million. Financial institutions are heavily targeted and regulated because of the amount of Personally Identifiable Information (PII) and Payment Card Industry (PCI) data they have.

External threats and hacking tend to make the news, but managing threats from current employees and partners with privileged access to sensitive data is also critical. Without a first line of defense, your data is exposed and at risk.

Here are five use cases for protecting your sensitive data.

Stop Unauthorized Use of Confidential Data

Allow employees and contractors to work with confidential customer data while minimizing the risk that it is shared with unauthorized users and causes a data breach.

Your employees access sensitive and confidential customer information so they can do their jobs. Once the data leaves the protected confines of an information repository, file share, or cloud-based service, your authorized users can share it with anyone, do anything with it and compromise your customer’s confidential information. You may be subject to regulatory fines, not to mention losing customers because they cannot trust you to maintain their confidentiality. You need to persistently protect confidential data, so that customer information is protected regardless of where it goes and who has it.

As an example, a former employee of a large financial company pleaded guilty to stealing confidential data from about 730,000 customer accounts. He copied names, addresses, account numbers, investment information, and other data to his home computer so he could work on it. While improperly accessing the information, he was interviewing for a new job with two competitors.

Fasoo Enterprise DRM protects customer information by encrypting the files and applying persistent security policies to protect them regardless of where they are or their format. Once the data is protected, you can safely share sensitive files through email, USB drive, external portal, or any cloud-based file-sharing site. The files are not accessible on unmanaged devices, including personal PCs, unless you choose to allow that.  File access is tracked in real-time for precise auditing, and you can revoke access instantly. Fasoo not only ensures that you meet privacy regulations and safeguard customer confidentiality but truly protects and controls sensitive information while at rest, in motion, and in use.

Safeguard M&A Deals by Limiting File Access

Protect M&A transactions so that only deal participants can securely share confidential documents.

Mergers and acquisitions (M&A) often involve intensive collaboration between investment bankers, lawyers, accountants, auditors, and other deal participants from different companies. They share countless confidential M&A documents, and it is crucial to safeguard them during and after the process. Deal participants may download and share sensitive documents from a virtual deal room to non-participating members or other unauthorized users, deliberately or by mistake. This could put your deal at risk. All sensitive documents in local servers, cloud storage locations, and personal devices should be discarded once the M&A project is complete.

Fasoo Enterprise DRM provides data-centric security to secure virtual deal rooms. All M&A-related documents in the virtual deal rooms are automatically encrypted at download, and only specific groups can access the protected documents. After closing an M&A deal, the deal room or other repository stores the final copies.  All transaction documents on desktops, on mobile devices, in email, on file servers, and other storage locations are revoked by the security administrator, disabling user access to all other copies.

Allow Users to View Sensitive Data Without Compromising Privacy or Security

Defend against unauthorized screen captures and sharing of sensitive information.

Most customer service and contact centers use terminal sessions or remote desktops to control access to highly confidential information in databases and websites. Financial institutions protect information while it is within a database but struggle to protect data when it is viewed within the terminal session or remote desktop. Protecting data from users who click the print screen key, run screen capture tools, or take pictures of the screen with a phone is one of the many challenges companies face in preventing data breaches.

Fasoo Smart Screen allows specific groups to access terminal or server-based computing (SBC) consoles while preventing the user from capturing sensitive data. When an authorized user accesses sensitive data, the user cannot take a screenshot, and a visible watermark displays on the screen showing the user’s name, company information, IP address, time, and date. This deters the user from taking a picture of the sensitive data with their phone and prevents computer image capture tools from taking a screenshot and sharing it with unauthorized people.

Protect PII Documents Handled by Authorized Users

Keep PII documents secure and only accessible to authorized users.

Financial organizations deploy firewalls, DLP, full disk encryption, and network transport encryption (TLS/SSL) to prevent data loss from unauthorized users. Threats from authorized users, whether accidental or deliberate, are increasing. Data breaches often result in serious litigation and severe contingent liability. Users send PII to the wrong person through email, deliberately or by mistake. Unprotected sensitive documents residing on an employee’s PC or in another storage location can increase the risk of a data breach.

Fasoo Data Radar allows financial institutions to discover sensitive data based on content patterns and enforce policy (encryption/re-classification) on the data without user intervention. It automatically detects and encrypts or reclassifies documents containing PII while the documents are in use. A central security policy continuously discovers and encrypts unprotected documents as they appear on PCs, file servers, and other locations. Dynamic access controls limit what a user can do once they open the document to protect your PII from misuse and potential litigation from a data breach.

Secure Data Downloaded from Databases and Information Systems

Automatically protect financial and customer reports downloaded from database-driven systems.

Financial organizations maintain relatively strong protection policies for structured data in databases using various security tools or techniques. When authorized users access this structured data for legitimate purposes like data mining or other analysis, they can extract or export the data into XLSX, CSV, or PDF files. This new unstructured data is vulnerable to misuse and often overlooked as a source of a data breach. Allowing authorized users to download structured data into files while maintaining persistent protection of sensitive data is critical to protecting your customers and your business.

Fasoo Enterprise DRM automatically encrypts and applies protection policies to reports when saved (localized) to desktops. For example, when an authorized user extracts structured data and saves it in XLSX/CSV format, the files are automatically encrypted and only accessible by authorized users. When a user copies the file to an external storage device or a cloud location or shares it through email, unauthorized users are not able to access the file. This ensures your sensitive data remains in the hands of authorized users.

Learn more about how Fasoo protects sensitive data and prevents data breaches in Financial Services.

A reference of enterprise digital rights management terms and acronyms

IT, security, compliance, and risk management leaders need a reference of terms, acronyms, and key people in the enterprise digital rights management (EDRM) domain. Some terms may be confusing since different companies use different terms for the same thing.

This Enterprise DRM Glossary will be updated regularly and provides clarity for leaders and practitioners. The EDRM glossary draws on various sources, including books, periodicals, websites, subject matter experts, and Enterprise DRM users.

We welcome your feedback and suggestions of terms to include. Contact us at info@fasoo.com.

CAD Security
Centralized Policy Management
Data-centric Security
Data Loss Prevention (DLP)
Digital Rights Management (DRM)
Encryption
Enterprise Digital Rights Management (Enterprise DRM, EDRM)
Information Rights Management (IRM)
Insider Threat
Intellectual Property Theft (IP Theft)
Microsoft Azure Information Protection (AIP)
Microsoft Purview Information Protection
PDF Security
Permission
Personally Identifiable Information (PII)
Print Protection
Provisional Permission
Secure File Sharing
Secure Print
Unstructured Data
Zero Trust Document Protection

CAD Security

CAD security, also referred to as CAD file security or CAD protection, describes the methods, means, and measures available to protect specifically Computer-Aided Design (CAD) / Computer-Aided Manufacturing (CAM) / Computer-Aided Engineering (CAE) tools and documents against unauthorized access and use.

CAD files, such as 3D CAD drawings, are unstructured data. Manufacturing companies and design engineering firms looking to protect CAD files face particular challenges. The primary reasons are:

  • the wide range of niche applications and file formats not covered by information rights management solutions for common office document formats (example: Microsoft AIP),
  • the weakness of traditional CAD file password protection,
  • the lack of end-to-end encryption and loss of oversight and control in many organizations when sharing CAD files by email or in the cloud.  

Examples are the automotive industry and the mobility sector in general, where CAD files often contain a company’s most valuable know-how. CAD file protection gaps at the endpoint and remote work risks were exacerbated during the coronavirus pandemic. They contributed to an increase in IP theft by insiders and data exfiltration by external threat actors.

In response, manufacturers are adopting Enterprise Digital Rights Management – Enterprise DRM – to ensure end-to-end CAD file protection and centralized policy management and control beyond the company’s IT perimeter. This approach is based on a data-centric security model. Solutions such as Fasoo Enterprise DRM ensure CAD file security at rest, in transit, and in use. Derivatives, for example, 3D models excerpted as PDF files, automatically inherit the file security of the enterprise DRM-protected CAD file, which can include secure print protection.

Source: Enterprise DRM Glossary. Reference: How to Protect CAD Files and Workflows Against IP Theft (Fasoo Blog)

Centralized Policy Management

A centralized security policy simplifies managing permissions on documents and ensures a consistent policy across an organization. The policy is persistent yet flexible and allows the organization to manage security rather than relying on individuals to make security decisions.  Compare this to the built-in PDF password protection feature provided by Adobe.

From the organizational perspective, the latter means putting the document’s fate into the hands of its creator.  The business relinquishes control to individual users. When they leave, the company is forced to dedicate valuable resources to special recovery efforts, or even loses access completely.  It also forces users to become security experts.

In comparison, the advantage of the centralized policy management provided by Fasoo Enterprise DRM is that the organization always maintains control over its documents and what happens with them, wherever they go.  This includes changing policies for a user or group at any time, regardless of where the document resides.

Users can be granted the right to maintain complete control over their documents, in those situations where it’s warranted.  This provides a layered approach giving users and groups autonomy for certain documents while maintaining centralized control of the organization.

For example, a Finance user creates a document and it is encrypted upon saving it.  All users in the Finance group automatically have access to the document.  The user decides she needs Legal to review the document, so she can manually grant them access.  If the user leaves the company or moves to another department, the document is still accessible by Finance and Legal.  The organization maintains control.

For solutions without centralized control options, like Microsoft AIP,  it is difficult to implement and change security policies with many users and constantly changing roles. The considerable burden of keeping up-to-date and in sync with the needs of departments or business units often falls on the individual creator of the document.

Data-centric Security

The data-centric security model aims to enhance information protection regardless of where the data resides or with whom it is shared. It is considered a core part of a Zero Trust approach to information security. Data-centric security is independent of networks, servers, locations, and devices and marks a departure from the traditional “device-centric” or location-centric security model.

Enterprise DRM applies the data-centric security model by taking a file-centric approach to secure unstructured data, such as MS Office documents, CAD/CAE files, PDF, plain text, and other digital media file types. This approach means that, in contrast to other methods, persistent encryption and Identity and Access Management (IAM) are tied to and travel with the file.

Data-centric security management requires organizations to know what data they have and its security and privacy requirements. To make data-centric protection of unstructured data feasible at scale, they have to rely on standardized mechanisms to catalog and categorize data. Fasoo Enterprise DRM, for example, applies file-centric protection based on data classification tags to

  • Encrypt the file contents: If exfiltrated, the sensitive data is obfuscated and is of no value to threat actors;
  • Limit file access to authorized users only: Users can be individuals, departments, business units, or defined by role or title.

Historically, organizations adopted file-centric solutions for specific use cases. Modern solutions take advantage of the latest in software tools like RESTful APIs and open operating system standards to work transparently across the enterprise. Centralized policy management ensures IT and data owners can grant access and apply protection consistently across all networks, devices, endpoints, and cloud services.

Source: Enterprise DRM Glossary. Reference: Data-centric security is key to resiliency, cyber risk report says (VentureBeat),  Protect-first Approach to Data-centric Security (Fasoo Brief), Data-centric Security (Fasoo Archive)

Data Loss Prevention (DLP)

Data Loss Prevention (DLP) describes tools and methods to prevent sensitive data, such as Personally Identifiable Information (PII) or business-critical intellectual property, from leaving an organization without proper authorization. 

To that effect, DLP software categorizes documents and emails and analyzes user behavior to restrict the transfer of data. The underlying rules and filters have to be maintained and adjusted by IT in coordination with other stakeholders to minimize workflow interruptions. 

Organizations can apply DLP only to their internal data flow. Unlike Enterprise DRM, it does not protect confidential information once data has been intentionally or unintentionally exfiltrated. A typical example is an email mistakenly sent to the wrong address. Like antivirus software or web filters, DLP components have become a staple of information security in the enterprise. As part of the point solutions mix, they often complement particular applications or tools, such as cloud security services or Microsoft AIP.

Larger organizations frequently leverage DLP to ensure compliance with data protection regulations such as GDPR, CCPA, or HIPAA. Critics blame DLP for creating a false sense of security and point to its blindspots (USB drives, SaaS file-sharing applications, enterprise messaging apps) and its focus on internal file downloads and sharing. 

Source: Enterprise DRM Glossary. Reference: DRM and DLP: Comparison Made Simple (Fasoo Blog), Data Loss Prevention (NIST Computer Security Resource Center Glossary)

Digital Rights Management (DRM)

Digital Rights Management (DRM) describes the tools, systems, and data-centric process used to automatically encrypt files and dynamically control access privileges for unstructured data at rest, in use, and in motion. In the consumer space, DRM aims to control the use, modification, and distribution of copyrighted material, such as computer software and multimedia files.

In business, Enterprise DRM ensures data-centric document protection inside and outside the IT perimeter and along an organization’s supply chain to protect sensitive information against theft or misuse by insiders and unauthorized access from the outside.

Source: Enterprise DRM Glossary. Reference: What is Digital Rights Management? (Fortinet Cyber Glossary)

Encryption

The term encryption describes the cryptographic transformation of data into a form that conceals its original content to prevent it from being known or used. Decrypting the encrypted information requires the correct key.

Enterprise DRM provides an additional layer of security through its data-centric combination of encryption and access control. Fasoo Enterprise DRM, for example, encrypts files containing sensitive unstructured data and limits access to the encrypted file to authorized users only within their given permissions. This approach helps organizations minimize and mitigate risks such as data leaks, insider threats, and advanced persistent threats (APT).

Fasoo EDRM encrypts files using a Packager. DRM-enabled documents cannot be opened without a DRM Client, which requests a “license” from the DRM Server. The DRM Server issues that license according to the security policy for the user and the document, which can be applied and flexibly adjusted using centralized policy management and exception handling. The DRM Client then decrypts the DRM-enabled document and sends the data to a rendering application, such as Microsoft Word, a PDF reader, or a CAD engineering tool.

Document encryption with Fasoo is based on FIPS 140-2 validated cryptographic modules that meet the requirements of the Cryptographic Module Validation Program (CMVP) run by the United States National Institute of Standards and Technology (NIST).  Fasoo uses AES 256-bit encryption which is a symmetric key encryption using block ciphers.  This is the same encryption the National Security Agency (NSA) and banks use to protect sensitive data.  Using FIPS-validated modules means it delivers the encryption strength required for organizations that are part of or do business with the U.S. federal government. 

Source: Enterprise DRM Glossary. Reference: To Encrypt or Not to Encrypt (Fasoo Blog), Encryption (Fasoo Archive)

Enterprise Digital Rights Management (Enterprise DRM, EDRM)

Enterprise Digital Rights Management (EDRM) enables organizations to persistently protect, control and track sensitive documents at rest, in transit, and in use. Also referred to as Information Rights Management (IRM), this data-centric protection applies to any device throughout the entire document lifecycle.

By encrypting files and leveraging granular controls through centralized policy management, Enterprise DRM allows organizations to limit viewing, editing, printing, and sharing of sensitive content with unauthorized users within and outside the organization’s IT perimeter.

Historically, the challenges associated with persistent policy enforcement account for the reputation of many enterprise DRM solutions being complex to deploy. This perception has changed, and industry observers agree.

According to Gartner analysts, enterprise DRM now “is one of the only mechanisms for retaining control of unstructured data transferred to business partners in secure collaboration scenarios.”

Industry observers credit Fasoo Enterprise DRM with driving much of this development. Its flagship installation spans over 170,000 internal users and over 700,000 total users of affiliates and partners worldwide.

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM Whitepaper 

Information Rights Management (IRM)

See Enterprise DRM

Insider Threat

An insider threat is defined as the potential for a person with authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the organization’s integrity, confidentiality, and availability, its data, personnel, or facilities.

Insider threats, such as IP theft by employees or contractors, are among the main risks to be considered when securing sensitive information in the form of unstructured data, such as office documents, PDFs, or CAD files. According to a 2020 survey conducted by the Ponemon Institute (PDF) and sponsored by ObserveIT and Proofpoint, 60% of polled organizations worldwide encountered more than 30 insider-related incidents per year involving digital assets.

The National Insider Threat Awareness Month library at the Center for the Development of Security Excellence offers guides, real-world case studies, videos, and web-based games to help organizations detect, deter, and mitigate insider threats.

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog), Insider Threat Report (Fasoo Resources)

Intellectual Property Theft (IP Theft)

The term Intellectual Property Theft (IP Theft) describes the act of stealing ideas, creative expressions, inventions, or trade secrets – collectively known as Intellectual Property (IP) – from the person or company who owns them. IP theft is against the law. Patent, copyright, and trademark laws, among others, aim to protect intellectual property owners.

In the digital sphere, most intellectual property exists in the form of unstructured data. Movies, music, and computer software all can be targets of IP theft, as can confidential office documents (example: pricing discounts), PDF files (example: employee W-2 forms), images (example: product concept studies), or CAD templates (example: digital blueprints of manufacturing designs).

Who is committing IP theft? According to experts, insiders – i.e. (former) employees, contractors, or supply chain partners – are behind most IP theft cases. Many perpetrators knowingly or unknowingly play into the hands of people outside their organization, such as agents for a foreign power or corporate spies hired by a competitor.

Western counterintelligence professionals attribute the rise of IP theft in the U.S. and the European Union mainly to China. Its Thousand Talents Plan, conceived by the Chinese Communist Party, drives the recruitment of engineers and scientists in the US and the EU as part of a state-sponsored IP theft campaign on a global scale.

In more than 50% of documented IP theft cases, the perpetrators were employees who quit and took proprietary information with them because nothing stopped them. This risk has significantly increased with the shift to remote work caused by the COVID-19 pandemic.

How can companies prevent IP theft? Increasingly, larger organizations deploy Enterprise Digital Rights Management (EDRM) to secure documents and eliminate opportunities for IP theft across the enterprise and along its supply chain. Information security experts see EDRM as uniquely positioned for preventing IP theft, or for limiting further damage in cases where protected files may have been exfiltrated.

Information security professionals describe mainly three reasons for Enterprise DRM’s effectiveness in protecting large organizations against IP theft:

  • EDRM combines access control with data-centric security that protects files at rest, in use, and in transit. This device-agnostic protection applies inside and outside the organization’s IT perimeter from the point of creation throughout the document lifecycle.
  • Centralized policy management and flexible exception handling enable IT and document owners to eliminate IP theft blindspots. It also lets them quickly adapt document use policies to meet the demands of dynamically changing environments, such as remote work scenarios (see also: Secure Print). Fasoo Enterprise DRM is an example. It empowers organizations to maintain granular control over sensitive data even if that information is shared – intentionally or mistakenly – outside the organization.
  • EDRM delivers comprehensive document security at scale, encompassing the broad spectrum of document formats and applications common in globally operating organizations. Fasoo Enterprise DRM, for example, supports more than 230 file formats, including a wide range of PDF and CAD types.

In the fight against IP theft, the capabilities listed above put designated EDRM solutions like Fasoo Enterprise DRM at a distinct advantage. Point solutions developed to protect primarily one document software ecosystem and a limited number of 3rd-party file formats (example: Microsoft AIP) cannot provide the same coverage. 

Source: Enterprise DRM Glossary. Reference: IP Theft in the Automotive Industry: 10 Tips to Counter the Insider Threat (Fasoo Blog); What’s the Biggest Challenge Manufacturing Companies Face in Their Fight Against IP Theft? (Fasoo Blog)

Microsoft Azure Information Protection (AIP)

Azure Information Protection (currently known as Purview Information Protection) is a data protection solution developed by Microsoft. It lets organizations discover, classify, and protect documents and emails. AIP was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.

See Microsoft Purview Information Protection for current information.

Source: Enterprise DRM Glossary. Reference:  FAQ: Five Top Questions About Fasoo Enterprise DRM vs. Microsoft AIP, What is Azure Information Protection? (Microsoft)

Microsoft Purview Information Protection

Purview Information Protection (formerly known as Azure Information Protection and Microsoft Information Protection) is a data protection solution developed by Microsoft. It is part of the larger Microsoft Purview suite of tools that lets organizations discover, classify, and protect documents and emails. It was designed primarily to protect the document ecosystem of Microsoft Office and a limited number of third-party file formats. It focuses on end users or data owners making all security decisions on documents rather than allowing a centralized approach to security.

Source: Enterprise DRM Glossary. Reference:  How does Fasoo Enterprise DRM (EDRM) compare to Microsoft Purview Information Protection? (Microsoft)

PDF Security 

Many cybersecurity professionals consider PDF security an oxymoron because of the weaknesses of the password protection and encryption of Adobe’s platform-independent file format.

Depending on the use case, adequate PDF document protection can require a combination of various 3rd-party tools and methods. Examples are PDF password protection, encryption, on-screen protection, secure print, PDF sanitization, PDF usage monitoring.

In large organizations, the number of PDF files and versions to be secured adds to the challenge. IT can overcome this challenge with Enterprise DRM, which provides an additional layer of PDF protection.

One example is Fasoo Enterprise DRM, which integrates the most powerful PDF protection mechanisms. It supports more than 230 file formats and ensures that sensitive PDF files are protected at rest, in use, and in transit.

Source: Enterprise DRM Glossary. Reference: Document Protection: How to Secure a PDF? (Fasoo Blog)

Permission

Permissions are required to perform a particular action, such as View, Edit, and Print, on a document secured with Enterprise DRM. A user can only perform an action on a secured document when granted the proper permission, whether it is set via centralized policy management, granted specifically by a data owner, or obtained by requesting provisional permission.

Source: Enterprise DRM Glossary. Reference: World’s Steel Manufacturing Leader Adopts Fasoo Enterprise DRM (Fasoo Success Stories)

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is defined as any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.

PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.

PII is often maintained in the form of unstructured data, i.e., in Microsoft Office documents, PDF files (example: W-2 records), or computer printouts. Files containing PII are best protected by encrypting them at the point of creation. Adequate protection covers the document lifecycle in its entirety and includes provisions for data transfers to other media, i.e., screen photos or print.

Source: Enterprise DRM Glossary. Reference: What is Personally Identifiable Information? (Department of Homeland Security), What Unstructured Data is Sensitive? (Fasoo Brief),  PII Data Breach Archives (Fasoo Blog)

Print Protection

See Secure Print

Provisional Permission

When a user does not have permission for a specific action in a document secured with Enterprise DRM, the user can request temporary permission or exemption to the current security policy. If approved by the administrator or document owner, the user can perform that action with the given provisional permission for a time period defined by the policy.

Source: Enterprise DRM Glossary. Reference: Fasoo Enterprise DRM White Paper (Fasoo)
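
The license decision from the Encryption entry, combined with the Permission and Provisional Permission entries and the Finance/Legal scenario under Centralized Policy Management, modelled as an added example. This is not Fasoo's code or API: `PolicyServer`, `issue_license`, the user and document names, and the timestamps are all hypothetical, and encryption itself is left out so the block shows only the policy check that gates decryption.

```python
"""Toy model of a DRM license decision (hypothetical names, not a vendor API)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACTIONS = frozenset({"view", "edit", "print"})


@dataclass
class DocPolicy:
    group_perms: dict                 # group name -> set of permitted actions
    revoked: bool = False
    # (user, action) -> expiry of an approved provisional permission
    provisional: dict = field(default_factory=dict)


class PolicyServer:
    """Central policy store: rights hang off groups, not off the creator."""

    def __init__(self):
        self.user_groups = {}         # user -> set of groups
        self.docs = {}                # doc_id -> DocPolicy

    def set_groups(self, user, groups):
        self.user_groups[user] = set(groups)

    def remove_user(self, user):
        """User left the organization: drop them from the directory."""
        self.user_groups.pop(user, None)

    def protect(self, doc_id, group, actions):
        """Register a document, or extend its policy to another group."""
        unknown = set(actions) - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        policy = self.docs.setdefault(doc_id, DocPolicy(group_perms={}))
        policy.group_perms.setdefault(group, set()).update(actions)

    def approve_provisional(self, doc_id, user, action, now, ttl):
        """Administrator or owner approves a time-limited exception."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        self.docs[doc_id].provisional[(user, action)] = now + ttl

    def revoke(self, doc_id):
        self.docs[doc_id].revoked = True

    def issue_license(self, doc_id, user, now, managed_device=True):
        """Return the permitted actions. An empty set means no license is
        issued, so the client has nothing with which to decrypt the file."""
        policy = self.docs.get(doc_id)
        # Deny by default: unknown document, revoked document, unknown
        # user, or an unmanaged device (assumed to be disallowed here).
        if policy is None or policy.revoked or not managed_device:
            return frozenset()
        if user not in self.user_groups:
            return frozenset()
        allowed = set()
        for group in self.user_groups[user]:
            allowed |= policy.group_perms.get(group, set())
        for (who, action), expiry in policy.provisional.items():
            if who == user and now < expiry:   # expired grants are ignored
                allowed.add(action)
        return frozenset(allowed)


def finance_scenario():
    """Constructed walk-through of the Finance/Legal example."""
    t0 = datetime(2024, 1, 1, 9, 0)            # constructed timestamp
    doc = "q4-report"                          # constructed document id
    srv = PolicyServer()
    srv.set_groups("alice", ["finance"])       # document creator
    srv.set_groups("bob", ["finance"])
    srv.set_groups("carol", ["legal"])
    srv.protect(doc, "finance", {"view", "edit"})

    out = {"legal_before": srv.issue_license(doc, "carol", t0)}
    srv.protect(doc, "legal", {"view"})        # creator adds Legal for review
    out["legal_after"] = srv.issue_license(doc, "carol", t0)

    srv.approve_provisional(doc, "carol", "print", t0, timedelta(hours=1))
    out["in_window"] = srv.issue_license(doc, "carol", t0 + timedelta(minutes=30))
    out["after_window"] = srv.issue_license(doc, "carol", t0 + timedelta(hours=2))

    srv.remove_user("alice")                   # creator leaves the company
    out["creator_gone"] = srv.issue_license(doc, "alice", t0)
    out["finance_still"] = srv.issue_license(doc, "bob", t0)
    out["unmanaged"] = srv.issue_license(doc, "bob", t0, managed_device=False)

    srv.revoke(doc)                            # administrator revokes all copies
    out["after_revoke"] = srv.issue_license(doc, "bob", t0)
    return out


if __name__ == "__main__":
    for step, actions in finance_scenario().items():
        print(f"{step:14} {sorted(actions)}")
```

Because the decision is made at license time rather than at encryption time, a policy change or revocation takes effect on every existing copy the next time it is opened.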

Secure File Sharing

Secure file sharing (also referred to as secure file exchange) describes the process of making unstructured data available to other authorized users while preventing access by others who lack proper authorization. In business environments, secure file sharing with Enterprise DRM enables individual users to transfer Microsoft Office documents, audio or video files, images, PDFs, or CAD drawings, for example, within or outside their organization, without exposing sensitive information to data theft or manipulation by unauthorized parties.

Modern digital rights management solutions enable secure file exchange based on a data-centric security model. This approach overcomes the weaknesses and limitations of traditional device-based security or file password protection (see also: PDF Security and CAD Security). It also surpasses the protection provided by file-sharing tools such as Box, Dropbox, or OneDrive, which offer encryption in the cloud and in transit, but fall short once a document reaches the recipient. Fasoo Enterprise DRM, for example, automatically encrypts each file at the point of creation and applies access policies that are centrally managed. 

Files secured with Enterprise DRM remain protected no matter where they go. This way, the data owner remains in control of if and how a shared file can be accessed, regardless of its location. The protection is device-agnostic and travels with the file. Users can securely share files without risking protection gaps on portable storage media, cloud storage services, home office printers, or when documents are sent as email attachments, for example.

Source: Enterprise DRM Glossary. Reference: Data-centric Security (Fasoo Blog Archive)


Secure Print (Secure Printing)

Secure print refers to capabilities that enable the prevention and detection of document leaks or exfiltration via print output. In Enterprise DRM, policy-based print protection lets data owners centrally set and manage print rules for printing on-premises or remotely and watermark unauthorized printouts.

Fasoo Enterprise DRM, for example, takes a printer-agnostic approach to secure printing. This approach eliminates problems with using different printers or print drivers. Here’s how it works:

The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels for plain and EDRM-secured documents alike.

Source: Enterprise DRM Glossary. Reference: Document Security: What Is Secure Print? (Fasoo Blog)


Unstructured Data

85% of today’s digitally stored information consists of unstructured data, which means it lacks a pre-defined data model or internal data organization. Examples include office documents, CAD/CAE files, PDFs, emails, videos, blogs, customer support chat logs, and social media.

Structured data, by comparison, is defined as data that is easily grouped, processed, and analyzed by rows and columns in relational databases. It only accounts for 15% of today’s information.

Unstructured data poses numerous security and regulatory compliance challenges. These challenges are not addressed by traditional network, device, and application cybersecurity and risk management approaches. This coverage gap is the reason why storing and sharing sensitive information in free-form documents creates numerous opportunities for leakage or exfiltration of proprietary or otherwise sensitive data.

Confidential files containing intellectual property, PII, or printouts of HIPAA-protected personal health information (PHI) are three examples of unstructured data potentially at risk of unauthorized access due to negligent or malicious insider behavior or cyber-attacks.

Sensitive unstructured data falls into two broad categories: regulated or unregulated. The adequate protection of regulated unstructured data is required by law (examples: GDPR, CCPA). Unregulated data includes both business-sensitive and publicly known information. Determining what content requires protection is left to the discretion of the business that owns, stores, or processes it.

Source: Enterprise DRM Glossary. Reference: What Is Unstructured Data And Why Is It So Important to Businesses? An Easy Explanation for Anyone (Forbes Enterprise Tech); Structured vs. Unstructured Data (Datamation); What Unstructured Data is Sensitive? (Fasoo)


Zero Trust Document Protection

Zero Trust document protection describes minimizing uncertainties in enforcing accurate access decisions regarding unstructured data. It delineates the shift from a device and location-centric security model to a predominantly data-centric approach.

The goal is to prevent unauthorized access to files containing confidential data by making access control enforcement as granular as possible. The Zero Trust approach requires fine-grained security controls between users, systems, data, and assets. Enterprise DRM is considered a cornerstone of any viable Zero Trust document protection strategy, according to document security experts. They point to its data-centric security model, strong encryption, and tight integration with all leading identity and access management systems.

The Zero Trust approach achieved official cybersecurity policy status with the 2021 Executive Order on Improving the Nation’s Cybersecurity issued by the Biden administration. While the directive primarily aimed to move federal agencies to secure cloud services and a zero-trust architecture, it has since sent ripple effects through the private sector.

Source: Enterprise DRM Glossary. Reference: “5 data protection tips for maintaining trust in the Zero Trust era,” in Financial Services: How to Boost Your Remote Work Surveillance; 3 Top Document Protection Takeaways from the May 2021 Executive Order on Cybersecurity (Fasoo Blog)

January 28 marks Data Protection Day (or Data Privacy Day), an international effort to create awareness about the importance of respecting privacy, safeguarding data, and enabling trust. For companies entrusted with personal data, this day is the opportunity to take stock and ensure everyone’s data remains safe and does not get into the hands of unauthorized people.

The privacy world has seen wholesale changes to privacy legislation across the world, and a huge shift in public awareness.  One of the earliest data laws in the US was the Privacy Act of 1974. This law codified how federal agencies can collect, manage, and use personal information.  With the introduction of the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada in 2000, countries codified efforts to seriously tackle the privacy of information in our digital world.  The EU introduced GDPR (General Data Protection Regulation) in 2016 which levied punitive damages for violations.  In the US, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) moved the conversation further into addressing potential data breaches of Personally Identifiable Information (PII).

 

What is Personally Identifiable Information (PII)?

Personally Identifiable Information (PII) is any data that permits the identification, by either direct or indirect means, of an individual to whom the information applies.

PII can directly identify a person (examples are name, address, phone number, social security number, any other ID number or code, and email address) or allow indirect identification in conjunction with other data elements. Such elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.

 

What is PII compliance?

As more of our world goes online, more of our data is subject to privacy legislation and compliance.  PII compliance involves the standards organizations must maintain to fulfill PII regulations.

While a lot of data is in databases, the major risk is data that is in reports and documents, that is, unstructured data. These files tend to move around from PCs to the cloud to mobile devices and are difficult to track. Becoming compliant means discovering, classifying, and protecting these files while limiting access to only authorized people.

 

1. Discover all PII

The first step to safeguarding PII is to find it. You can’t protect what you can’t find. By locating and identifying PII, you can determine what to do with it. Once you accurately identify the PII that needs protection, the next step is establishing its storage location. In most cases, you shouldn’t store PII on mobile devices, user PCs, or general cloud storage. It’s better to find a secure repository, but in many cases, that’s not convenient or practical.

You also have a problem with file derivatives and copies.  Every time someone saves files as a PDF or runs a report and downloads data to a spreadsheet, you have another copy of sensitive data.  This leads to the question of whether you should be keeping PII in the first place.  Is it necessary for your business?  Having it can inevitably lead to a data breach.

 

2. Classify PII

After discovering PII, you need to classify or label it.  This organizes the data into relevant data types which helps determine who should access it and how to protect it.

The easiest way to classify data is public versus non-public.  This may seem oversimplified, but either the data should be available to anyone or it shouldn’t.  If that is not granular enough, you can classify data by how much it will cost you if it is compromised or illegally exposed.

Below are standard classifications you can use:

  • Public: This is the broadest category because it consists of data already in the public domain and is not sensitive.
  • Confidential or Private: This is more sensitive, and organizations should allow only their employees to view and process it.
  • Restricted: This is very sensitive data and could result in fines or litigation if it is leaked or gets into the wrong hands.

 

3. Protect PII

Once you organize your PII, you can protect it and ensure that only authorized people can access the data.  This is critical for proper governance and risk mitigation strategies.  The most effective protection is to encrypt the files and apply security policies that control who can access the data and what they can do with it.

A common protection approach is trying to track data flow through the organization.  While that has value, trying to monitor where files go is time-consuming and ultimately not very important.  The reason many do this is to limit access to file locations, whether in the cloud or in on-premise storage.  Unfortunately, this is like playing whack-a-mole.  Once you secure one location, another appears.

A better approach is to protect the files themselves and control them regardless of location.  This allows the data to travel naturally from person to person in the course of business.  Your data is always protected regardless of where it is and who is trying to access it.

To ensure PII isn’t exposed to unauthorized access, companies need clearly defined roles implemented throughout the organization. Once roles are identified, you can apply security policies to sensitive files that limit what a user can do once a file is opened. For example, someone in HR may have a legitimate reason to View and Edit a document with an employee’s PII, but that person’s manager should only be allowed to View it, or maybe not have access at all.

Access control and permissions should be dynamic to address changing roles in the organization.  If the HR person changes departments and no longer needs access to PII, her access should change.  A file she once opened should be inaccessible, regardless of where it is or even if she saved it to another format.  This ensures no unauthorized people can access this sensitive data.
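The discover, classify, and protect steps above, as an added Python sketch (not Fasoo's code or API) that shows why evaluating a centrally held policy on every open makes a role change apply to files that were already shared. The regex detectors, the mapping of PII types to the three labels, the role table, and names such as `PolicyServer`, `alice`, and `doc-001` are assumptions for illustration; file encryption itself is left out.

```python
"""Discover -> classify -> protect, as a self-contained sketch.

Illustrative only: detectors, label mapping, roles and the policy table are
assumptions made for this example, not any product's API or defaults.
"""
import re

# 1. Discover: detectors for direct identifiers (US formats, assumed).
DETECTORS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}


def discover(text):
    """Return {pii_type: [matches]} for every detector that fires."""
    found = {}
    for kind, pattern in DETECTORS.items():
        hits = pattern.findall(text)
        if hits:
            found[kind] = hits
    return found


# 2. Classify: map findings onto the three labels (mapping is assumed).
LABEL_RANK = {"Public": 0, "Confidential": 1, "Restricted": 2}
TYPE_LABEL = {"ssn": "Restricted", "email": "Confidential", "phone": "Confidential"}


def classify(findings):
    """A file takes the most sensitive label among the PII types found."""
    labels = [TYPE_LABEL[kind] for kind in findings] or ["Public"]
    return max(labels, key=LABEL_RANK.__getitem__)


# 3. Protect: policy is held centrally and keyed by (label, role).
# HR may view and edit; a manager may only view (the example from the text).
POLICY = {
    ("Public", "*"): {"view", "edit", "print"},
    ("Confidential", "hr"): {"view", "edit"},
    ("Confidential", "manager"): {"view"},
    ("Restricted", "hr"): {"view", "edit"},
    ("Restricted", "manager"): {"view"},
}


class PolicyServer:
    """Hypothetical central policy point consulted each time a file is opened."""

    def __init__(self):
        self.labels = {}  # doc_id -> label; every copy of a file keeps its doc_id
        self.roles = {}   # user -> current role (stands in for the IAM directory)

    def register(self, doc_id, text):
        """Scan the content once and record the resulting label."""
        self.labels[doc_id] = classify(discover(text))
        return self.labels[doc_id]

    def decide(self, user, doc_id, action):
        """Look up the user's *current* role, so role changes take effect at once."""
        label = self.labels.get(doc_id)
        if label is None:
            return False  # unknown document: deny by default
        role = self.roles.get(user)
        allowed = POLICY.get((label, role), set()) | POLICY.get((label, "*"), set())
        return action in allowed


# Constructed sample data, not real records.
SAMPLE_REPORT = (
    "Employee: Jane Doe\n"
    "SSN: 123-45-6789\n"
    "Contact: jane.doe@example.com, 555-010-0199\n"
)
SAMPLE_MEMO = "Cafeteria hours change on Monday."


def demo():
    server = PolicyServer()
    server.roles.update({"alice": "hr", "bob": "manager"})
    label = server.register("doc-001", SAMPLE_REPORT)
    before = server.decide("alice", "doc-001", "edit")
    server.roles["alice"] = "sales"  # Alice leaves HR
    after = server.decide("alice", "doc-001", "view")
    return label, before, after


if __name__ == "__main__":
    print(demo())
```
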

 

Protection rather than Litigation

According to privacy regulations and data breach notification laws, if data gets into the wrong hands but the files are not in human-readable form, there is no breach.  If a computer or person can’t read the sensitive data, you have not violated any laws.

Rather than focusing on location-based protections and monitoring where data travels, encrypt it and assign a dynamic security policy that protects PII regardless of where it is.  This ensures if (or when) your data gets out, it won’t cause any harm to your organization.

See how Fasoo can help meet your compliance requirements with a Zero Trust Data Security Platform.

Learn how Fasoo Data Radar can discover and classify PII

Learn how Fasoo Enterprise DRM can encrypt your PII with the highest level of security

 

As more operations move to the cloud, employees, contractors, and partners access sensitive data through a browser or remote desktop.  Frequently users run reports to localize the data for further analysis.

Protecting this sensitive data when viewed on your computer or mobile screen is critical to protect the data from unauthorized use and ensure you aren’t subject to litigation and fines for violating privacy legislation.

Here are four use cases for using Screen Security to protect your sensitive data.
 

Protect PII and PHI on the screen

Allow employees and contractors to work with sensitive data while minimizing the risk of a data breach by sharing pictures of sensitive data with unauthorized users.

ERP, CRM, EMR, financial, and other business systems provide users with easy access to detailed personal and company information.  This information is not adequately protected against malicious or inadvertent screen capturing, especially with so many remote workers and people working from home.

Users can access sensitive data on web-based applications and share it with anyone.  They can capture the screen content with an image capture tool or by taking a picture with a phone.  This can lead to a data breach that violates privacy legislation and can lead to litigation, fines, and reputational damage.

Fasoo Smart Screen can block screen capture attempts from specific applications and websites by covering sensitive content with a secure image that warns users they are trying to copy sensitive data. By allowing specific users to access applications while preventing them from capturing sensitive data, you minimize potential data breaches. You can even forcibly minimize target applications when known capture tools are launched to deter further sharing of sensitive data.
 

Prevent pre-release of information in files and on internal websites

Stop data leaks by blocking screen capture attempts of product designs, media, and other sensitive information in files and on internal websites.

Internal websites showcase new products and other strategic information that employees and contractors need for planning marketing and sales activities.  Sometimes, these users take pictures of this information and use it for personal gain, send them to competitors, or share them on social media.

These actions may create competitive pressures that can lead to loss of sales or market share if your competitors get hold of the information. Since anyone with a phone can take a picture and share it, you need to deter this behavior to avoid losing competitive advantage.

Fasoo Smart Screen can block screen capture attempts of sensitive data on websites and apply visible watermarks to trace potential data leaks to the source.  Dynamic watermarks appear in certain applications and specific URLs showing the user’s name, IP address, and timestamp to deter screen capture.  By blocking screen capture tools on specific URLs, administrators can control sharing of sensitive data and even see image logs of attempted screen captures.
 

Protect sensitive data in call and contact centers

Minimize the risk of data leaks by applying a visible watermark to trace sensitive data back to call or contact center employees.

Customer service and contact centers use virtualized or remote desktops to control access to highly confidential information.  Workers could take a screen capture of PII or take a picture with their phone and share that information with unauthorized people outside the company.  This is especially risky with outsourced vendors who may have a high turnover of employees and contractors, and who allow many people to work from home.

Anyone with sensitive data on the screen can easily use a screen capture tool or take a picture of the screen with a phone and share it with colleagues and friends.  If this information becomes public, your company may be subject to fines and litigation.

Fasoo Smart Screen discourages screen capture attempts by applying visible watermarks with user and company information to trace potential data leaks to the source.  A customizable, visible screen watermark appears on websites, specific applications, and sensitive documents showing the user’s name, company name or logo, IP address, and timestamp.  Administrators can see image logs of attempted screen captures.  The visible watermarks deter leaking sensitive data since the user’s name is on the captured image.
 

Safeguard sensitive financial information in documents

Reduce the possibility of customer and supply chain loss by blocking screen capture attempts of sensitive financial information in files.

Employees and contractors share documents containing sensitive financial information as they work with customers and suppliers.  Someone may create a document and share it or run a report from a financial system.  The users could take a screenshot of the content and share it with anyone, either inside or outside the organization.

If a public company shares this data prematurely, it may disrupt markets and run afoul of SEC rules.  If competitors have this data, they may undermine your supply chain or make a run at your customers with discounts and other strategies to steal them.  Since anyone with a phone can take a picture and share it, you need to stop this from causing problems.

Fasoo Smart Screen can block screen capture attempts of sensitive data in documents and apply visible watermarks to trace potential data leaks to the source.  Dynamic watermarks appear in sensitive documents and deter users from sharing images of them since the user’s name, timestamp and other identifying information are visible.  If a user tries to take a screenshot of the document, an image appears over the content preventing the attempt.  Administrators can see image logs of attempted screen captures to help address potential leaks with users.

 

Learn more about how Fasoo Smart Screen can help you protect sensitive data shared on screens.

Zero Trust is a major trend in 2022 and one that affects public and private sector organizations alike. Last year when the Biden administration in the US issued its Executive Order on Improving the Nation’s Cybersecurity, zero trust was a major component of this initiative.

Organizations implement traditional perimeter-based security strategies on the assumption that everything inside the perimeter is secure. Zero trust assumes that no person or device inside or outside of an organization is trusted. It requires thorough verification of all users, data, and devices, and allows only minimal privileges.

The concept of zero trust is not new.  It was suggested in 2010 by analyst John Kindervag of Forrester Research to denote stricter cybersecurity programs and access control within corporations.

Now 12 years later, security experts agree that a zero-trust-based security strategy is needed, not perimeter-based security.  The reason is simple.  The environment is changing.
 

Why zero-trust now?

The pandemic-driven transition to a hybrid workplace has become the norm. As telecommuting and remote work become common, concerns about perimeter-based security are growing more than ever before. This is because the boundaries of the work environment have become blurred, driven in part by the increased adoption of mobile and cloud services. This will inevitably lead to a security vacuum.

The environment surrounding data security faces a variety of changes, including cyber warfare caused by the conflict between Russia and Ukraine, cyberattacks on companies by hacker groups like Lapsus$, and numerous incidents of corporate data breaches by trusted insiders.

In this environment, it is natural for zero-trust-based solutions to be in the spotlight.  It’s the data itself that we need to protect, so we need a data-driven security system that can safely protect our data in a rapidly changing environment.

 

Zero Trust Data Security

Protecting sensitive data first requires identifying it, classifying or labeling it, and then determining who should have access to it. This requires constant authentication and verification of user identity. Fasoo’s zero-trust approach to safeguarding sensitive unstructured data goes beyond just access controls. It layers three powerful security methods to achieve a strong, proactive first-line defense against external and insider threats.

  • Encryption
  • Adaptive Access Control
  • Control Data in Use

 

Cloud misconfigurations, user errors, and work from home environments all expose sensitive files to breaches that access control alone can’t prevent.  A true zero-trust approach secures the file at all times – at rest, in transit, and while in use – and continuously monitors user, device, and other contexts to adaptively evaluate access permissions.
 

Encrypt Files

The best way to protect a sensitive file is to encrypt it.  It ensures files are protected while at rest and in transit no matter the location or network.  This sets the foundation for a zero-trust approach on which other safeguards build.

  • Automatically discover, classify and encrypt sensitive files when created or modified, all transparent to the user. User errors are eliminated and workflows are uninterrupted.
  • Encryption keys are centrally held and controlled by the company – not by the user, cloud provider, or any other third party. This is increasingly important in hybrid and multi-cloud workplaces as privacy regulations become more prescriptive regarding data residency and access rights.

 
Encrypting files ensures that any exfiltrated sensitive information is safe from misuse. Many privacy regulations exempt encrypted file exfiltration from breach reporting or significantly reduce any fines. It also negates one of the worst risks related to today’s ransomware threats – exploitation of exfiltrated data.
 

Apply Access Control

User verification is enforced each time the file is accessed and incorporates contextual information about the user and device to dynamically grant or deny access.

  • User access to a sensitive document is automatically applied as part of the initial discovery process with presets that are centrally configured and provide flexible and practical settings. Individual users, departments, roles in the organization, and “all internal share” are examples of preset alternatives.
  • Fasoo enables a range of other elements, including device identity, time of day, and geolocation to be assessed as part of its adaptive zero-trust access approach. This dynamic linking of multiple verification points ensures the highest degree of trust can be enforced for sensitive data.

 

While centralized control of document access is the default, the platform provides flexibility so that document owners can unilaterally change access, if business needs dictate.  This allows those closest to the data to make security decisions without needing to involve security or IT.  Continuous monitoring of user behavior reports such exceptions for line manager and compliance team inspection.  Such analytics are also applied to continuous monitoring of device and location information.
 

Control over Data

Insider threats expose a major gap in many declared zero-trust solutions. Once a verified insider gains access to the file, it’s a free pass to use sensitive corporate data. Joiners and leavers in a transient workforce, work-from-home environments, and supply chain collaboration open the door for inadvertent or malicious insider data breaches.

  • True zero-trust requires control over usage as well as access. Forward, cut and paste, copy, print, and screen capture are examples of the many ways insiders can maliciously or unintentionally expose sensitive information to unauthorized parties.
  • Usage controls must consider the sensitivity of the data and the context in which it’s being used, and enable a wide range of permissions, from restricting actions to watermarking files, to address insider threats.

 

Fasoo enables a comprehensive set of file permissions to control what authorized users can and can’t do with a document in use.  Central pre-set policies can be implemented at the user, department, or organization-wide level as well as by role (all Directors) or project (M&A, Drug Approval).

Proactive control over data usage is essential to a true zero-trust approach.

Talk with us about how Fasoo Data Security will strengthen your zero-trust initiatives.

Corporate data is the lifeblood of business and because of remote work and constant competitive pressures, it is more vulnerable than ever. Protecting that data while still making it available to those who need it is why many organizations are turning to Enterprise Digital Rights Management (EDRM).

Information security, privacy, regulatory compliance, and data governance requirements drive how we manage corporate data.  Business requires us to share sensitive information with employees, contractors, business partners, and customers, but we need a way to do it securely without impacting everyone’s productivity.

The realities of today mean that many of us may work from any location at any time, using any device.  Outsourced functions range from finance and human resources (HR) to design and manufacturing.  If you outsource manufacturing or finance to a third party, how do you define your corporate boundary for data, since your sensitive information is in the hands of a business partner?  Add to this the real threat of external hackers and insider threats from employees, contractors, and the third parties you use for key business functions.

How do you protect the most important information in your business?

Here are 5 reasons why you should seriously consider Enterprise DRM as part of your information security, data governance, and compliance strategy.

Protect Your Intellectual Property

Intellectual property (IP) is a critical asset for your business.  It lets you create unique products and services that drive revenue.  It differentiates you from the competition and keeps your customers coming back.  If this information accidentally or deliberately leaks, you can suffer financial loss and possibly go out of business.

EDRM protects your intellectual property from unauthorized access and controls what an authorized user can do with it. You can grant or block a user’s ability to view, edit, print, copy, and even take a screen capture of the information. You can control derivatives of documents since people share IP in PDF or other common formats with both internal and external recipients. Since you have a complete audit trail of user and document activity, you know if someone accessed the documents inside or outside your network. You can also revoke access or change permissions after you distribute a document if the sensitivity of the information changes or if the people who should have access to it change.

Protect Customer Data

Any business that deals with personal information or takes credit cards must protect it from unauthorized access. Regulations such as GDPR, CCPA, HIPAA, PCI DSS, and numerous other laws mandate that third-party data is under strict control and only authorized people can access it. Violations can result in hefty fines and cause major legal and business problems.

EDRM controls how employees, contractors, and business partners use this sensitive information.  It can prevent sharing the data with unauthorized users by controlling access, screen captures, and adding visible watermarks to both printed documents and those viewed on a screen or mobile device.  Since third-party data typically has a shelf life, you can limit access to a specific time and revoke access to any distributed files immediately, regardless of location.

Protect Your Customer’s Intellectual Property

You may also be a steward of your customer’s intellectual property.  Manufacturing and business services organizations commonly have sensitive designs or client data that is worth stealing.  An organization’s supply chain can be the weakest link in its security which makes it an easy target for hackers and trusted insiders.  Your customers trust you with keeping their intellectual property safe and out of the hands of their competitors.

Enterprise DRM protects your customer’s intellectual property from unauthorized access.  You can automatically encrypt and assign access controls to sensitive documents as you save them.  If different groups use this information, you can easily limit access based on projects or customers.  If an employee working with one customer’s data accidentally shares it with another customer, you are protected since only authorized users can see and use the data.  This provides built-in safeguards for those people working on multiple projects.

Protect Employee Privacy

HR, Finance, and other departments have a lot of sensitive employee data, including social security and insurance numbers, health information, salary data, and the results of drug tests or criminal background checks.  Controlling its access and distribution is part of the social and legal compact any employee has with her or his employer.

Enterprise digital rights management can limit access to private information by controlling the users and groups that can see it.  You can control access dynamically through your identity access management (IAM) system so that as roles change in your company, so do access rights.  For information you share with outside service providers, you can provide read-only copies that you can revoke at any time.  Only recipients granted access can see the data, so your employees and outside providers can’t share the data with unauthorized users.

Provide Audit Trails

Regulatory compliance is a requirement for many businesses to prove they can manage critical information in a way that ensures chain of custody and proof that only authorized users had access.  Compliance is not just a matter of the law but is generally considered good business practice.  Compliant companies can prove they take information security and governance seriously and can use this as a selling point to their customers.

Enterprise digital rights management provides an audit trail of all user and file activities to ensure a chain of custody of information for electronic discovery and proves that only authorized users have access to sensitive data. This helps your organization understand the flow of important information and simplifies eDiscovery in the event of litigation.  Since many regulations require you to prove to a regulator that you meet their requirements for protecting privacy, audit trails are easily available in downloadable reports.

 

Enterprise DRM can help you meet information security, regulatory compliance, and data governance objectives, ensure privacy and protect the digital assets of your company.  It is the best way to protect your most important business information and get a good night’s sleep.

To learn more, download our Enterprise DRM whitepaper.

Remote work is putting sensitive data at risk. That we can all agree on. Traditional endpoint protection frequently fails. So what about stronger surveillance of remote employees at home?

Let’s monitor the heck out of them, shall we?

That seems to be the approach of some financial services firms whose remote workers handle sensitive financial data and Personally Identifiable Information (PII). Is remote work surveillance a good idea? 

Perhaps, if your organization is craving attention – from the Washington Post, for example – for all the wrong reasons: privacy concerns, lawsuits, alienated employees and contractors. 

“Excessive surveillance,” writes ZDNet’s Owen Hughes, “is having profoundly negative effects on the workforce.”

But does it work?

 

Why monitor employees at home?

You see, that’s the other catch: it may not be worth the effort and expense. Digital surveillance, warns TechTarget’s Computer Weekly (UK), may “increase enterprise risk” by “forcing remote workers towards shadow IT.”

In short, excessive work-from-home surveillance doesn’t only erode trust and productivity. It also results in weaker data protection and employees leaving for the competition. 

What’s not to love? Perhaps you agree: pretty much everything, if you value your employees and work culture.

The tips below favor a non-creepy approach that is more sustainable: 

 

5 data protection tips for maintaining trust in the Zero Trust era  

Fasoo’s data-centric security model maximizes document protection – not the surveillance of the people handling them from home. Fasoo enables IT to secure and keep tabs on sensitive unstructured data throughout the document lifecycle, instead of putting employees and contractors under home office surveillance.

  • Stay vigilant; keep watching. 

Fasoo Enterprise DRM lets your organization automatically assign file protection without user intervention at the point of creation. Encryption and policies keep the document secured even when it is shared outside the organization by mistake.

Efficient document protection with Fasoo enables your organization to continuously monitor, log, and flexibly change who’s accessing confidential files and how. 

 

  • Turn your employees’ bedroom nooks into secure print stations.

What would it take, aside from nationwide lease, maintenance, and insurance contracts? The kids giving up their bedroom? A two-camera surveillance system? 

Or, less creepy: You deploy Fasoo Smart Print as your organization’s remote network of monitored print stations. Regardless of which physical or virtual printer is used – including the old inkjet in the bedroom nook – IT remains fully in control.

A granular audit trail includes the text or image of the actual printed content. It ensures visibility into all print activities that involve EDRM-secured documents.

 

  • Intervene when they take a snapshot.

How do you keep remote employees, in the privacy of their home, from using the Print Screen key, screenshots, or a smartphone to take pictures of confidential information?

Install more spyware and observation cameras? Think about the possible impact on your workforce retention rate in the “great resignation” era.

Here’s a less heavy-handed approach that’s more efficient than excessive remote work surveillance. Deploy Smart Screen, Fasoo’s on-screen document protection. It enables IT to block and monitor screen capture attempts. Administrators can monitor all screen capture attempts and even view an image of the targeted areas.

It may be impossible to keep a determined person from taking photos with a smartphone or camera outside a high-security office area or designated data room. That’s why effective deterrence is essential. Fasoo Smart Screen enables admins to imprint sensitive documents with a visible “smart” watermark that contains tell-tale user-specific information.

 

  • Keep tabs on them outside work and after hours.

On your files, that is. Shareholders, customers, and regulators expect you to protect confidential financial information and PII throughout the document lifecycle. Password-based document protection or Data Loss Prevention (DLP) solutions, for example, cannot provide this level of security.

DLP aims to prevent data exfiltration, but files can still make it beyond your organization’s IT perimeter: on a USB stick, for instance, or via a personal cloud storage account.

With Fasoo Enterprise DRM, encryption and policy settings apply regardless of where the document lands and prevent unauthorized access. A confidential file remains protected even in the wrong hands.

  

  • Always and immediately involve higher-ups, IT, and HR… 

…when (former) employees attempt to access specific documents. Sounds ridiculous, right?

Well, that’s because it is. Yet, some Information Rights Management (IRM) solutions expect data owners to relinquish control over individual documents to a degree that poses challenges for organizations with many users and constantly changing roles.

Workflows become work trickles. People find shortcuts. Overall data security suffers.

Fasoo’s centralized policy management capabilities allow for flexible, people-centric exception handling. It integrates with all leading federated authentication systems, minimizing risk when employees change departments or leave the company.

This approach ensures that everyone who needs to be is in the loop about a file’s security – the document creator, supervisors, IT, and HR. No home office surveillance required. 

*

 

Zero Trust makes sense. Until it doesn’t.

Would you make Zero Trust your People & Culture or HR slogan? Let’s face it: You need a Zero Trust strategy to secure your data. As a tagline for your work culture, on the other hand, it would be a less than ideal pick.

With Fasoo Enterprise DRM, you don’t have to sacrifice trust and productivity by setting up remote work surveillance bridgeheads in your employees’ homes.

As a cornerstone of your Zero Trust strategy, Fasoo empowers your organization to maintain its work culture and trust within the team while still ensuring maximum data protection.

 

Contact the Fasoo team to find out more.

Top 10 Tips to Stop a Data Breach

Data breaches continue to torment organizations.  There are numerous examples of malicious or inadvertent data breaches throughout businesses and organizations of all types and sizes.  Hackers get all the press, but insiders pose as great a risk as any external party when it comes to vulnerabilities.

Regardless of who you are, your information is under attack.

With the start of fall and most employers still focused on remote workers, now is a good time for a few tips on preventing a data breach.

  1. Identify sensitive data – before you can prevent a data breach, you need to know the sensitive data you collect, store, transmit, or process.  Hackers and malicious insiders target non-public personal information (NPI), personally identifiable information (PII), and intellectual property, like designs, patent documents, or trade secrets.
  2. Encrypt sensitive data – encryption with a centralized access policy helps protect the security and privacy of files as they are transmitted, while on your computer, in the cloud, and in use. Encrypt all sensitive information with a data-centric security policy using Advanced Encryption Standard (AES) 256-bit cryptography.  Only give access to those who need it to do their jobs.
  3. Secure sensitive customer, employee, or patient files – store paper files containing sensitive information in a locked drawer, cabinet, safe, or another secure container when not in use.  This becomes more of an issue as people continue to work from home and use local printers to print and review information.
  4. Properly dispose of sensitive data – shred physical documents containing sensitive data prior to recycling.  Remove all data from computers and electronic storage devices before disposing of them.  If the documents are encrypted, there is less potential for a data breach even if accidentally left on a device.
  5. Use password protection – password protect your computers, including laptops and smartphones, and access to your network and servers. Since so many applications are in the cloud, consider a single sign-on (SSO) and multi-factor authentication (MFA) solution to strengthen your access policies.
  6. Protect against viruses and malware –  install and use antivirus and antimalware software on all of your computers. Don’t open email attachments or other downloads unless you’re sure they’re from a trusted source.  Phishing attacks are still one of the main culprits of data breaches.
  7. Keep your software and operating systems up to date – install updates to security, web browser, operating system, and antivirus software as soon as they are available.  Hopefully, these processes are automated, but it’s good to check and automate them if possible.
  8. Secure access to your network – ensure your network firewall, proxy server, and other network appliances are up to date with patches.  Enable your operating system’s firewall.  Ensure your Wi-Fi network is password-protected, secure, encrypted, and hidden so that its network name or SSID can’t be picked up by the public.  This is very important for work at home scenarios, even if you are using a VPN to access corporate resources.
  9. Verify the security controls of third parties – before working with third parties that have access to your data or computer systems or manage your security functions, be sure their data protection practices meet your minimum requirements and that you have the right to audit them.  It’s best to have a vendor risk management policy in place to address these needs.
  10. Train your employees – people are the weakest link in security, so make sure your employees understand your data protection practices and their importance. Document your policies and practices, and distribute them to everyone. Review them regularly and update them as required. Be sure to retrain your staff as updates are made.

 

Did you know that paper-based incidents still account for a whopping 30 % of data breaches? It’s helpful to keep this statistic in mind and plan for secure print in your organization’s document protection program.

*

How well is your print infrastructure protected against security breaches? When market research firm Quocirca posed this question to more than 500 IT leaders worldwide at the end of last year, their response wasn’t exactly reassuring.

Only 33 % of respondents in the U.S. said they were completely confident, a drop from 50 % before the COVID-19 pandemic. What happened?

Survey chart image: Print-related data loss before / after COVID

Source: Quocirca Infographic

Work-from-home (WFH) arrangements are to blame, says Quocirca. And you thought unmanaged home office computers already created enough of a headache for IT? Well, think again. 

The Quocirca report shines a harsh light on a piece of office equipment that’s omnipresent but often overlooked as a risk factor: the printer. 

 

Increased risk through WFH printers  

Printers remain underestimated as a threat to document security, and not for lack of evidence: 30 % of data breaches last year involved paper documents, according to the 2021 Privacy Incident Benchmark Report published by incident response specialist RadarFirst.

That’s 13 % down from the year before. But don’t pop open the champagne just yet. This number doesn’t account for sensitive data, such as Personally Identifiable Information (PII) of customers, that was mishandled or intentionally exfiltrated via unmanaged and unmonitored WFH printers. After all, who’d be able to tell?

Charts Infographic: Print-related incidents

Source: RadarFirst Infographic

Let’s put the risk in perspective. It’s helpful to remember that modern printers and print/scan/photocopy/fax multifunction devices are special-purpose computers. As such, they are susceptible to software exploits, online attacks, as well as data theft and leakage by insiders. But unintentional or deliberate misuse of printers and printouts isn’t the only risk to consider.

Auditability and chain-of-custody requirements are of equal concern. For example, in financial services, healthcare, and pharmaceutical companies, regulatory compliance demands the traceability of the PII paper trail. In the criminal justice system, another example, the law requires tracking the movement of evidence through its collection, safeguarding, and analysis lifecycle. This includes documenting when files are printed, by whom, and for what purpose.

I’ve written about printers and their role in data theft and leaks on this blog before here, here, and here. If mortgage applications or medical record printouts, for example, are left unattended in the paper output tray and end up in the wrong hands, the result may be costly. Think brand damages, litigation, or steep penalties and other enforcement action by state and federal regulators.

 

Do we need monitored print stations for remote workers?

Many organizations mitigate such risks to a certain degree by setting up dedicated print stations with closely monitored secure printers. Print activities of remote workers and how they handle the printouts, on the other hand, remain out of sight and beyond the control of staff. So what are IT’s options then?  

Too often, these options are limited by a lack of resources – or outright impractical. Support employee-owned printers? Talk about a rabbit hole. Provision company-owned printers to remote workers and block unmanaged devices? Prevent employees from printing at home altogether? 

Wanted: a sensible yet effective method to prevent confidential data from seeping out of some inkjet printer in a home office nook, without invading the privacy of remote employees. Enter secure print.  

 

What is “secure print”?

The term “secure print” (or “secure printing”) describes functionalities that enable the prevention and detection of document leaks or exfiltration via print output. In digital rights management at the enterprise level (Enterprise DRM or EDRM), policy-based print protection enables data owners to centrally set and manage print-at-home rules, as well as mark unauthorized printouts.

Fasoo Enterprise DRM takes a printer-agnostic approach to secure printing. This eliminates problems with using different printers or print drivers. Here’s how it works:

The basic print permission setting is part of the Fasoo-encrypted document. In addition, Fasoo’s secure printing component – a.k.a. Fasoo Smart Print – lets organizations apply print protection policies on various levels, for plain and EDRM-secured documents alike.

 

Fasoo print protection enables organizations to 

  • prevent printing of files that contain PII or other sensitive information, based on predefined patterns in the document, or mask sensitive data; users can request an exception to print an unmasked version;
  • require authentication before retrieving a printout, and also require users to enter a PIN or use a smart card before releasing a print job for added security;
  • apply visible watermarks that show a user name, date, time, IP address, and other company information to printouts without user intervention, to deter insider theft and as future forensic evidence; users can request an exception to print without a watermark. 
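The pattern-based rules in the list above, sketched as an added example (not Fasoo's code or API; the function names, regular expressions, and policy values are assumptions made for illustration). A print job's text is scanned for SSN-style numbers and Luhn-valid card numbers, then blocked or masked unless an exception was approved, and every allowed printout gets a user/time/IP watermark string and an audit record.

```python
import re
from datetime import datetime, timezone

# Constructed patterns for illustration; real policies need tuning per data set.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample document (test values, not real customer data).
SAMPLE = (
    "Loan application summary\n"
    "Applicant SSN: 078-05-1120\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Order ref: 1234 5678 9012 3456\n"
)

def luhn_ok(digits):
    """Luhn checksum: filters out 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pii(text):
    """Return (kind, start, end) for each sensitive match, in document order."""
    hits = [("ssn", m.start(), m.end()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("card", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])

def mask_span(span):
    """Replace every digit except the last four with '*', keeping separators."""
    total = sum(c.isdigit() for c in span)
    seen, out = 0, []
    for c in span:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - 4 else "*")
        else:
            out.append(c)
    return "".join(out)

def mask_text(text, hits):
    out, pos = [], 0
    for _, start, end in hits:
        if start < pos:  # skip a match that overlaps one already masked
            continue
        out += [text[pos:start], mask_span(text[start:end])]
        pos = end
    return "".join(out + [text[pos:]])

def evaluate_print_job(text, user, ip, policy="mask",
                       exception_approved=False, now=None):
    """Decide allow/mask/block and build the watermark and audit record."""
    now = now or datetime.now(timezone.utc)
    hits = find_pii(text)
    audit = {"user": user, "ip": ip, "time": now.isoformat(),
             "pii": [kind for kind, _, _ in hits],
             "exception": exception_approved}
    if hits and policy == "block" and not exception_approved:
        return {"action": "block", "text": None, "watermark": None, "audit": audit}
    masked = bool(hits) and not exception_approved
    printed = mask_text(text, hits) if masked else text
    audit["printed"] = printed  # audit trail keeps the text actually printed
    watermark = f"{user} | {now:%Y-%m-%d %H:%M} UTC | {ip}"
    return {"action": "mask" if masked else "allow", "text": printed,
            "watermark": watermark, "audit": audit}
```

The "Order ref" line in the sample has the shape of a card number but fails the Luhn check, so it prints unmasked; checksum validation of this kind keeps a pattern rule from masking ordinary reference numbers.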

 

Smart Print’s file-centric print protection means that IT maintains control and oversight regardless of which physical or virtual printer is used. A granular audit trail, including the text or image of the actual printed content, ensures maximum visibility into all print activities by employees and vendors. 

For maximum print security in a WFH world, deploy Fasoo Smart Print as your organization’s remote network of monitored print stations – without the creepiness factor.

Find out more about secure printing with Smart Print and Fasoo Enterprise DRM here.

###

Protect data on laptops from terminated employees

I read a Tweet recently from “Accidental CISO” about collecting laptops from terminated employees during the pandemic that I deemed retweetable (if that is a word).  Some comments focused more on the hardware – how to get it back – but this got me thinking more about what is actually on the hardware. What sensitive information, like intellectual property, might reside on them?  It also made me think, in a situation like this, how the potential for insider theft is far greater.

Files containing IP can be printed on home printers, sent over email to personal accounts, saved on a USB stick, screen captured, and so on.  These are not necessarily actions of malice, but of obvious desperation to assist with the basic need for employment.

It reminded me of a webinar we did in 2019, Close the Gap on Insider Threat: Granular Access Controls and Behavior Analytics, where we focused on the best way to protect and control unstructured data without having to think about where it is located, who is accessing it or how it is being used.  It’s part of a 3-part series, so check out the other two.

In my last post, I talked about how many companies are not prepared to suddenly support a remote workforce and provided some thoughts on things you can do.  But this tweet brings to the surface the extent of how unpreparedness can lead to (and this is going to sound weird) intentional, non-malicious behavior.

I encourage you to think about it, watch, and at the very least, start putting a plan in place to protect and control your unstructured business critical information.  The time is now to do your best research so when you are ready to pull the trigger on your unstructured data security project, you will be able to hit the ground running.

Contact us if you want to talk about any of this and in the meantime, stay safe and healthy!

 

Photo credit Ian Sane

 

Overnight, companies across the globe were forced into a fully remote workforce.  If you are prepared, under the best of circumstances, it can still be a challenge, but if you are not, the challenges are even greater and some things can potentially fall through the cracks.  People working from home can lead to a few unintended bad habits. With business continuity being the priority, data is even more at risk as hackers and thieves see opportunity when your guard is down.

For companies that don’t have tools in place, and for that matter, those that don’t have the right tools in place, here are some things you can do while ensuring the health of your employees and keeping your business on track.

  • Reiterate document handling policies – remind workers creating documents of data classification schemes and to encrypt whenever possible for sensitive data.  When in doubt, encrypt.
  • Remind your work-at-home staff of your security awareness training (SAT) (if you have a program in place) – there have been lots of reports of phishing and other types of scams going on because bad people will take advantage of the population when vulnerable.  Ensure your employees know how to identify these things, whether you have programs in place or not.
  • Data sharing across email – it is always a best practice to remind workers that care be taken when sending an email with unprotected documents attached – double-check who is in the “To” and that appropriate protection is applied to what is sent.
  • Working in cloud applications –  the clogged and slow internet may have some workers pulling documents out of the application to work on locally.  And for the sake of expedience, some of these documents may be sent through email (see the previous comment), shared on a Zoom or Teams video conference, or remain on a local drive or in a folder, exposed to theft from outsiders.
  • Ensure your Wi-Fi has a strong password and that your computers have anti-virus software installed – for the unprepared, some workers may be working on their personal laptops or desktops, may not have a VPN, may not have renewed the free anti-virus software installed, because “that will never happen to me”, and may not have created a strong Wi-Fi password when first setting up their internet connection.  Now might be the time to ask them to change passwords and check licenses on security software.
  • Printing – discourage printing sensitive information on home printers. While there isn’t much you can do to prevent this and foster secure printing, discourage workers from printing sensitive documents locally and encourage them to work in the applications.  Besides, it is good for the environment (save a tree).

While all of these might seem like motherhood and apple pie, they are just good reminders at a time when things happen so fast.

Photo by Kate

Complying with CCPA - What are some of the landmines

The potential for landmines in complying with CCPA is pretty high.

One of the first things is that a lot of companies don’t know how to interpret the law. We saw that with GDPR for the year prior to it going into effect. CCPA is a lot like it, but there are likely still questions.

Second are the DSRs (Data Subject Requests), or the right to be forgotten. People are very in tune with their privacy these days and will want to act on it, not only for the reduction of spam, but for the identity theft potential. The requests will likely come too fast, and companies with a lot of data containing personally identifiable information (PII) – the very thing those data subjects will be after them for – will find themselves in a position where they don’t know where to start.

Thirdly, most have also not started tackling unstructured data that may contain that PII. Most companies are working from dated data governance policies to begin with; they haven’t updated systems, processes, and procedures, haven’t included unstructured data, and don’t have the tools in place to properly protect data. So they will need to first find what data they have (whether it is dark or otherwise), and get rid of it based on its age and usefulness.

On a separate, yet related note, as with most research organizations, a recent webinar by AITE Group touched on the privacy regulation subject.  Since California has set its privacy regulation wheels in motion, and there are 11 other states that are making their rules stricter, the U.S. is seemingly having problems with standardizing privacy laws across the nation.  Arguments around who will enforce them (which, by the way, was a common question with respect to GDPR), and how, can’t be settled.  And this makes sense.  Europe has 27 member states, so they will each enforce their own, whereas the U.S. is one country.  So while there does need to be a national data privacy law, let’s not hold our breath.

The best way to comply with CCPA and similar privacy regulations is to classify sensitive data as confidential and immediately encrypt it.  This protects the data, controls user access and tracks the file wherever it travels.  Rather than relying on complex classification processes to control what users can or cannot do, this approach optimizes classification and streamlines a path to protect and control your most sensitive data.  You also don’t have to worry about location anymore, since the file is always encrypted and access controlled.

Photo credit R. Miller

 
